Debugging the Tech Industry’s “Bug Bounty” Programs

To avoid notifying consumers of a data breach, Uber disguised an extortion payment to a hacker as a prize for discovering a “bug” in its code. Now lawmakers are looking to prevent bug bounties from being hijacked in the future.

Uber's John Flynn testifying at a Senate committee hearing on Tuesday
AP Photo/Susan Walsh
Brendan Bordelon
Feb. 6, 2018, 8 p.m.

Over the last five years, an unlikely romance has bloomed between hackers and top-tier tech companies.

Instead of using their powers for evil, some “white-hat” hackers have offered to find a corporation’s network vulnerabilities and, for a fee, disclose them to the owners. Although initially wary, thousands of companies have now created “bug bounty” programs, through which they pay hackers prize money for discovering and disclosing “bugs” in their systems.

Until recently, most observers saw bug-bounty programs as an unalloyed good—a way to enhance corporate cybersecurity while simultaneously turning talented hackers away from a life of crime and punishment.

But that was before Uber Technologies’ belated disclosure of a November 2016 data breach that saw the theft of data from 57 million users, including 25 million Americans, and 600,000 U.S. driver-license numbers. In an apparent ploy to avoid disclosing the theft, Uber chose to instead pay a $100,000 ransom to the two hackers under the auspices of a bug-bounty program it first enacted earlier that year.

The breach was not disclosed to consumers or law enforcement until November 2017, one year after the incident and several months after new management had taken over at Uber. Several states have opened investigations into whether the lack of disclosure violated state data-breach-notification laws, but the federal role in the controversy has so far been unclear.

Now the Senate is looking to change that. Sen. Jerry Moran, the chairman of the Senate Commerce Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security, convened a hearing on Tuesday to discuss ways to prevent the hijacking of bug-bounty programs for nefarious purposes. And all options—from federal breach-notification requirements to hard limits on bug-bounty pricing and the preemption of a patchwork of state notification laws—appear to be on the table.

In the ride-sharing company’s first public admission of fault, John Flynn, Uber’s new information-security officer, told the Senate panel there was “no justification” for his company’s behavior. “We recognize that the bug-bounty program is not an appropriate vehicle for dealing with intruders who seek to extort funds from the company,” Flynn said.

Flynn added that the actual theft of data distinguished this case from a typical bug bounty, in which hackers would merely identify a vulnerability without subsequently exploiting it.

Those in the bug-bounty industry, however, worry that the damage has already been done. Casey Ellis, the founder and chief technology officer of Bugcrowd, said the Uber incident has reawakened mutual suspicions between tech companies and hackers.

“This concept of, ‘Well, are bug bounties basically just extortion that happens on a more controlled level? Is this essentially money laundering, like hush money for hackers?’—it’s almost like the mud in the water started to settle, and this whole thing has stirred that mud back up,” Ellis said. “So that’s the part that I’ve found really frustrating.”

Ellis cautioned lawmakers against a knee-jerk reaction, warning that new rules could prove “onerously restrictive on the benefits of interacting with the hacker community, whilst sort of ignoring the fact that the bad guys don’t read the law.”

But Moran all but promised legislation to prevent another incident of extortion masquerading as a bug-bounty payout. “There is a lot of interest in legislation, [and] there has been for a while,” Moran told reporters after the hearing.

Democratic Sens. Bill Nelson and Richard Blumenthal also touted their own bill, the Data Security and Breach Notification Act, as a vehicle to greater accountability. Among other provisions, their bill would empower the Federal Trade Commission to take greater steps to enforce federal bug-bounty standards.

Observers see two potential problems with bug-bounty programs as they’re currently constituted. One is the corporate confusion over whether a breach stemming from a bug-bounty program should be disclosed, and to whom.

“If lots of personal information of customers or employees is accessed, that’s going to almost certainly trigger some regulatory notification obligation,” said Avi Gesser, a cybersecurity lawyer at Davis Polk. “And you usually can’t make that go away by just dealing with the person who hacked you—even if you don’t call it a hack.”

Uber’s Flynn seemed eager to admit his company’s mistake in failing to notify consumers and law enforcement. He pledged to work with lawmakers to create new notification requirements and supported the preemption of a “patchwork” of state notification laws with a federal framework.

The other issue relates to the often flexible pricing of bug bounties. Reports indicate that Uber initially sought to pay the hackers the standard $10,000 bug-bounty fee for their find, only to have that offer rebuffed in favor of a $100,000 payment. Experts say that type of haggling isn’t unusual in the bug-bounty world—but it can be destructive.

“Why would a hacker turn in a bug and follow the rules for $10,000 when the term ‘bug bounty’ has been muddied to include downloading 57 million records and getting paid $100,000 for that data theft?” asked Katie Moussouris, the chief executive of Luta Security, who testified on Tuesday. “I think that is a line that should be very, very clear that bounties should not be negotiable in that way.”

But Flynn seemed less eager to support a hard price cap on bug bounties. The Uber executive deflected when Sen. Blumenthal asked him if he’d support nonnegotiable and clearly defined terms for any vulnerability brought to his company’s attention, instead saying it’s important for companies to have procedures in place after the fact.

Moran couldn’t say when bug-bounty legislation is coming down the pike. But he hinted that it could be wrapped in a broader data-security bill, and would almost certainly include new breach-notification requirements for bug bounties gone wrong.

“I think there is a role for the law to play in finding the right parameters for this activity,” he told reporters after the hearing.
